Privacy Policy
Effective Date: March 2, 2026
Your Privacy Matters to Extropolis
This Privacy Policy governs your relationship with Extropolis Corp. (“Extropolis,” “we,” “our,” or “us”). Protecting our users (“you,” “your,” or “their”) and their privacy is a core principle of Wastehunter. This Privacy Policy helps you understand:
- What information we collect (and what we don’t)
- How your data flows through our system
- How we protect your privacy
- Your rights regarding your information
This Privacy Policy governs your access to and use of the Wastehunter website located at wastehunter.app and any related digital mediums owned and maintained by Extropolis (collectively, the “Website”), as well as the financial statement analysis services provided through the Website (collectively, the “Services”).
By accessing and using the Website and Services, you acknowledge that you have read and understood this Privacy Policy. Where we process data to perform the free analysis or the optional paid deep-dive service you have requested, the legal basis is performance of a contract. Where we process data for security and infrastructure purposes, the legal basis is our legitimate interest in operating a secure service.
I. Our Privacy-First Design
How Wastehunter Works
Wastehunter is designed from the ground up to minimize data collection. Here is exactly how your data flows:
- PDF Processing (Client-Side Only): Your PDF bank and credit card statements are processed entirely in your web browser using PDF.js. Your PDF files are never uploaded to our servers.
- Free AI Analysis: When you choose to analyze your statements, the extracted text is sent to Anthropic’s Claude API for analysis. This happens without payment — the full analysis is free. This is the only time your statement data leaves your browser. See Section IV (“Third-Party Service Providers”) below for important details.
- Optional $3 Deep Dive (Stripe): If you choose to unlock the deep-dive sections of your report, you are redirected to Stripe’s hosted checkout page for a $3 one-time payment. We never see, handle, or store your credit card number, billing address, or other payment details. See Stripe’s Privacy Policy for details.
- Report Delivery & Expiration: Your report is temporarily cached in a server-side session store for delivery. All session data — including extracted text and the generated report — is automatically and permanently deleted after 1 hour.
Our Privacy Assurances
- No account required. We do not require registration, login, email, or any form of identity verification.
- No personal information requested. We do not ask for or collect your name, email address, phone number, home address, or any other personally identifiable information. Standard server logs may record IP addresses for security purposes only (see Section II).
- PDFs never leave your device. Your PDF files are processed entirely in your browser. They are never uploaded to or stored on our servers.
- No persistent database. Session data is stored temporarily with a 1-hour expiration and cannot be recovered after deletion.
- No data selling. We do not sell any user data to any person or company.
- No tracking across sessions. We do not use cookies, analytics platforms, or tracking tools to identify or follow you across sessions.
- Free core analysis. The initial spending analysis is completely free — no payment required.
- Automatic refunds on failure. If the optional deep-dive unlock fails after payment, your payment is automatically refunded.
II. Information We Collect
Information You Provide
Because Wastehunter requires no account and no login, we collect minimal information:
| Information | When Collected | Purpose | Stored? |
|---|---|---|---|
| Extracted text from PDF statements | When you request a free analysis | Sent to Anthropic’s Claude API for AI analysis | Temporarily (1-hour session, then permanently deleted) |
| Stripe Checkout Session ID | When you purchase the optional $3 deep dive | To link your payment to your report session | Temporarily (1-hour session, then permanently deleted) |
| Payment Intent ID | When deep-dive payment completes (via Stripe webhook) | To process automatic refunds if unlock fails | Temporarily (1-hour session, then permanently deleted) |
We do not collect:
- Your name, email, phone number, or any contact information
- Your PDF files (they never leave your browser)
- Your credit card or billing information (handled entirely by Stripe)
- Your IP address for identification or tracking purposes
- Browser fingerprints or device identifiers for tracking
Information from Internet Use
Our servers may automatically log standard connection information such as IP addresses and request timestamps as part of normal web server operation. These server logs are used solely for infrastructure monitoring and security (e.g., detecting abuse or denial-of-service attacks) and are not linked to any user session or personal identity.
Cookies: Wastehunter uses only a minimal session cookie to maintain your session during a single visit. This cookie contains only a session identifier, expires when your session ends or after 1 hour (whichever comes first), and cannot be used to identify you across visits. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
Do Not Track: Wastehunter does not track users across sessions or across third-party websites. Because we do not engage in tracking, “Do Not Track” browser signals are not applicable to our Services. We do not change our data practices in response to Do Not Track signals.
III. Disclosure to Law Enforcement and Government Authorities
We may disclose the limited information we possess (server logs containing IP addresses and request timestamps) to governmental or law enforcement authorities if we believe in good faith that disclosure is: (a) required by applicable law, regulation, or legal process; (b) necessary to respond to a lawful request from public authorities; (c) necessary to protect the rights, property, or safety of Extropolis, our users, or the public; or (d) necessary to detect, prevent, or address fraud, security issues, or technical problems.
Because Wastehunter does not collect personal information, require accounts, or maintain persistent user records, we have extremely limited data available to disclose in response to any such request.
IV. Third-Party Service Providers
Stripe (Payment Processing)
We use Stripe to process payments. When you purchase a report, you interact directly with Stripe’s hosted checkout page. Stripe collects your payment information (credit card number, billing address, etc.) independently — we never see or store this data.
Anthropic (AI Analysis Provider)
We use Anthropic’s Claude API to analyze your extracted statement text and generate your financial report.
What is sent to Anthropic: The text extracted from your PDF statements (transaction descriptions, amounts, dates, merchant names, and other text content).
What Anthropic does with it: As of the date of this Privacy Policy, according to Anthropic’s usage policy, data sent through their API is not used to train their AI models. However, Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes (e.g., detecting abuse). These policies are subject to change by Anthropic at any time.
What we cannot control: Once your extracted statement text reaches Anthropic’s servers, Anthropic’s own policies govern how that data is handled, retained, and deleted.
We strongly encourage you to review Anthropic’s policies before using Wastehunter.
Hosting Provider
Our application is hosted on Railway. Railway provides infrastructure services and may process standard server logs (IP addresses, request metadata) as part of their hosting services.
V. How We Use Your Information
We use the limited information we collect solely for the following purposes:
| Use | Legal Basis |
|---|---|
| To generate your AI-powered financial analysis report | Performance of the free service you requested |
| To process your optional $3 deep-dive payment via Stripe | Performance of the service you requested |
| To issue automatic refunds if deep-dive unlock fails | Our legitimate interest in fair business practices |
| To maintain server infrastructure and prevent abuse | Our legitimate interest in operating a secure service |
We do not use your information for marketing, profiling, sale to third parties, training AI models, or any purpose beyond delivering your free analysis and optional deep-dive report.
VI. Data Retention
| Data | Retention Period |
|---|---|
| Extracted statement text | Deleted automatically after 1 hour |
| Generated report | Deleted automatically after 1 hour |
| Session metadata (Stripe IDs, status) | Deleted automatically after 1 hour |
| Server logs (IP, timestamps) | Retained for up to 30 days, then deleted |
After session expiration, your data cannot be recovered by us or anyone else. We do not maintain backups of session data.
Third-party retention: Stripe and Anthropic maintain their own retention schedules as described in their respective privacy policies.
VII. Data Security
- Client-side PDF processing: Your PDF files are never transmitted over the network.
- HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
- Ephemeral sessions: Session data is stored with automatic expiration (1-hour TTL).
- No persistent storage: We do not operate a persistent database.
- Stripe-hosted checkout: Payment processing is handled entirely by Stripe’s PCI DSS-compliant infrastructure.
While we take reasonable precautions to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
Breach Notification: In the unlikely event that we become aware of a security breach affecting data in our possession, we will notify affected users to the extent possible and as required by applicable law. Because Wastehunter does not collect email addresses or contact information, we may be unable to directly notify individual users. In such cases, we will post a conspicuous notice on the Website and take all other steps required by applicable breach notification laws.
VIII. Children’s Privacy
Wastehunter is not intended for use by children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect information from children. If you believe a child has used our Services inappropriately, please contact us.
IX. Links to Other Websites
The Website may include links to third-party websites (such as Stripe and Anthropic). This Privacy Policy applies only to Wastehunter. We are not responsible for the privacy practices of other websites.
X. Your Rights
All Users
Because Wastehunter does not request personal information and maintains no user accounts or persistent records, most traditional data rights are satisfied by design. The only information that may qualify as personal data is IP addresses in server logs (retained up to 30 days for security):
- Access: We do not maintain any personal information about you beyond your active session.
- Deletion: All session data is automatically and permanently deleted after 1 hour.
- Portability: Your report is available for download during your active session.
California Residents (CCPA)
Under the California Consumer Privacy Act (CCPA), California residents have rights including: knowing what personal information is collected, opting out of its sale, requesting deletion, and non-discrimination.
The only information that may qualify as personal information under the CCPA is IP addresses recorded in standard server logs, which are retained for up to 30 days for security purposes and then deleted. We do not sell personal information. We do not use personal information for profiling, advertising, or any purpose beyond security monitoring. If you are a California resident and wish to request deletion of server log data containing your IP address, please contact us at the email address below.
EEA, UK, and Switzerland Residents (GDPR)
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you may have rights under the GDPR including: access, rectification, erasure, restriction of processing, data portability, and the right to object.
Because we do not collect or store personal data beyond ephemeral session information that auto-deletes within 1 hour, these rights are satisfied by our architecture. We process the minimal data necessary to perform the service you explicitly request and pay for (legal basis: performance of a contract).
If you believe our processing of your data is inconsistent with your rights under the GDPR, you have the right to lodge a complaint with the Data Protection Supervisory Authority of your country. For purposes of the GDPR, Extropolis Corp. is the “controller.”
International Visitors
The Website is hosted in the United States. If you access the Website from outside the United States, please be aware that your information (specifically, extracted statement text sent for AI analysis) may be transferred to and processed in the United States. This transfer is necessary to perform the service you have requested and paid for (legal basis: performance of a contract). The United States may not have the same data protection laws as your country of residence.
XI. Updates to This Privacy Policy
We may update this Privacy Policy from time to time. Changes are effective upon posting to the Website. Your continued use of the Website after any changes constitutes acceptance of the updated Privacy Policy.
This Privacy Policy supplements, but does not replace, the Terms of Service. In the event of a conflict between this Privacy Policy and the Terms of Service regarding privacy matters, this Privacy Policy shall govern.
XII. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:
Email: [email protected]
We will promptly investigate and respond to your inquiry.
Last Updated: March 2, 2026